Skip to main content

HIPAA and Research Using Health Information

Research may often involve obtaining, creating, using, storing and/or disclosing a broad range of health information. This information may be obtained by researchers directly from individuals about whom the health information pertains, such as through interactions between researchers and those individuals. Additionally, researchers may obtain health information indirectly, such as by acquiring an individual's health information from others who already have or may in the future directly collect the information themselves, such as health professionals or even other researchers. Regardless of whether obtained directly or indirectly, the use and/or disclosure of an individual's health information for research purposes may be subject to what is referred to as the HIPAA (Health Insurance Portability and Accountability Act of 1996) Privacy Rule, a federal law that establishes specific requirements to protect individual's privacy and the confidentiality of their health information.

Click on our HIPAA Privacy Rule & Research algorithm to check out FSU requirements; click on one or more of the panels below to learn more, including what to do if the HIPAA Privacy Rule applies to your research.

The HIPAA Privacy Rule consists of numerous administrative, physical and technical standards to protect individuals' health information privacy and the confidentiality of their health information. These standards are national in scope and apply for example, to certain health care providers (including at FSU, which providers may be referred to as covered or "health care" components) as well as to certain health plans such as group health or other medical insurance (including insurance provided to FSU employees, Medicare and Medicaid) that conduct certain health care transactions electronically. Once deemed subject to the HIPAA Privacy Rule these health care providers and health plans are officially referred to as "covered entities". An individual's identifiable health information that covered entities use or disclose for covered functions such as furnishing, billing and paying for health care (including treatment, supplies and services), regardless as to its form or format (e.g., paper, verbal, audio as well as electronic) may be referred to as "Protected Health Information" or PHI. Persons or entities that perform certain functions on behalf of covered entities and to whom a covered entity uses or discloses PHI are referred to as "business associates", to which the HIPAA Privacy Rule also applies. 

Most basically, the HIPAA Privacy Rule establishes limits, restrictions and conditions on the use and/or disclosure of PHI, including the requirement that such use and/or disclosure is ONLY permitted AFTER an individual (or their legal personal representative), about whom the PHI pertains, provides a specific authorization ("HIPAA Authorization") for such use and/or disclosure. Some limited exceptions may apply, including uses and/or disclosures for research purposes but only under very specific conditions. The HIPAA Privacy Rule also establishes rights that individuals have with regard to their PHI, including being informed about a covered entity's privacy practices; a written accounting of disclosures for research; inspecting and obtaining a copy of their health records; requesting corrections to their health information; and restricting certain uses and disclosures of PHI. Covered entities must provide a notice of their privacy practices on a publicly-facing web page.

Visit the U.S. Department of Health and Human Services to access their summary of the HIPAA Privacy Rule.

Protected Health Information (PHI)

PHI is any individually identifiable health information that appears in any record maintained by a covered entity and which pertains to an individual's past, present, or future health status, and which information is created, collected, transmitted or maintained by the covered entity in relation to the provision of healthcare, payment for healthcare services, or use in healthcare operations.

To be considered PHI the health information must be both personally identifiable or recognizable to the individual about whom the health information pertains, AND used or disclosed to a covered entity during the course of healthcare, payment for healthcare services, or use in healthcare operations.

PHI may exist in many different forms and formats: electronic, verbal, and written, including for example the following:

  • Billing or claims information from a health care provider
  • Results from diagnostic exams, procedures and laboratory tests (e.g., x-rays, biopsies, images, blood or urine tests, physical or psychological exams, biospecimens, medical screenings)
  • Any document or record that contains an individual's name and the name of their health care provider
  • Any document or record that contains a Medicaid, Medicare or other health-related beneficiary identification
  • An email or other communication to or from an individual and their health care provider about the individual's hospitalization, health visit, appointment or prescription

Key Tip: if a device or application stores, records, or transmits individually identifiable health information to within or to a covered entity, then the information may be considered PHI.

The following information (referred to as "identifiers") renders health information identifiable:

  1. Names
  2. All geographical subdivisions smaller than a state, except for the initial three digits of a zip code if, according to the current publicly available data from the U.S. Bureau of the Census: the geographic unit formed by combining all zip codes with the same three initial digits contains more than 20,000 people; and the initial three digits of a zip code for all such geographic units containing 20,000 or fewer people is changed to 000
  3. All elements of dates (other than year) directly related to an individual
  4. Telephone Numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health insurance beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web Universal Resource Locators (URLs)
  15. Internet Protocol (IP) address numbers
  16. Biometric identifiers, including finger, retinal and voice prints
  17. Full face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code except a unique code assigned by the investigator to code the data and which is not derived from or related to information about the individual and is not otherwise capable of being translated so as to identify the individual

Covered Entity

Covered entities may include individuals or organizations that transmit PHI for transactions for which the U.S. Department of Health and Human Services has adopted standards. Such transactions may include health-related care billing or claims, payment and remittance advice, healthcare status, coordination of benefits, enrollment and disenrollment, eligibility checks, healthcare electronic fund transfers, and referral certification and authorization. Covered entities may fall into one or more of three categories: healthcare providers, health plans,  and healthcare clearinghouses.

The HIPAA Privacy Rule also applies to individuals or organizations that are deemed "business associates" of a covered entities when those individuals or organizations provide covered entities with certain services, and with or to whom the covered entities' PHI may be used and/or disclosed. Common business associates may include medical transcription services, health insurance claims processing companies, health data/cloud service providers, electronic health record vendors, and legal and accounting firms.

Covered entities most often consist of the following organizations and those persons who work for the organizations, including for example:

  • Doctors’ offices, dental offices, ambulatory care centers and health-related clinics
  • Hospitals, academic health centers and nursing homes
  • Pharmacies and medical device providers
  • Home healthcare and visiting nurse agencies
  • Health plans, health insurance companies, and health maintenance organizations
  • Government programs that pay for healthcare (e.g., Medicare, Medicaid)
  • Healthcare clearinghouses

KEY TIP: some organizations, such as FSU, are considered "hybrid entities" since only certain units of an organization may meet the definition of what would otherwise be considered a covered entity; these units are often referred to as health care or covered components. If you are unsure about whether any particular FSU unit is a health care or covered component for purposes of the HIPAA Privacy Rule, be sure to contact the unit's legal counsel or privacy officer. 

HIPAA Authorization

Under the HIPAA Privacy Rule, some uses and disclosures of PHI do not require an individual's authorization; these include uses and disclosures of PHI for purposes of treatment, payment, and health care operations. However, unless expressly excepted under the HIPAA Privacy Rule, uses and disclosures of PHI in other circumstances will require specific authorization from the individual about whom the PHI pertains.

An authorization is a detailed document that grants to covered entities and others that may be listed in the authorization the individual's permission to use their PHI for specified purposes (which uses are generally other than the covered entity's treatment, payment, or health care operations) or to disclose PHI to another third party that is named or identified in the authorization.

All authorizations must include certain elements or features; these include a description of the PHI for which use or disclosure is permitted, the person authorized to make the use or disclosure, the person to whom the covered entity may make the disclosure, an expiration date, and in some cases the purpose for which the PHI may be used or disclosed.

Key Tip: One important exception to the requirement for an authorization includes uses and disclosures for research, but only under certain circumstances, such as an IRB's approval of a waiver of the authorization requirement based upon satisfying specific criteria; if such criteria cannot be satisfied, researchers may try to obtain an individuals' authorization. Refer to the FSU IRB HIPAA-related Requirements section below.

In order to be considered a valid HIPAA authorization, the following elements or features, among others, need to be included:

  1. The authorization may not be combined with any other document such as a consent for treatment. However, an authorization may be combined with an informed consent document used for research purposes.
  2. The authorization must contain certain core elements:
    • A description of the PHI to be used or disclosed that identifies the PHI in a specific and meaningful fashion.
    • The name or specific identification of the person(s) or class of person(s) authorized to make the use or disclosure.
    • The name or identification of the person(s) or class of person(s) to whom the covered entity may make the requested use or disclosure.
    • A description of each purpose for the requested use or disclosure. If the individual about whom the PHI pertains initiates the authorization, a statement that the disclosure is “at the request of the individual” will be considered sufficient.
    • An expiration date or description of the event that relates to the individual or the purpose of the use or disclosure (e.g., “until completion of the study”).
    • The date and signature of the individual about whom the PHI pertains or their personal representative.
    • If the authorization is signed by the personal representative, a description of the personal representative’s authority to act for the individual.
  3. The authorization must also include several required statements regarding the individual's rights, including:
    • The individual or their personal representative has the right to revoke the authorization at anytime by submitting a written revocation, except to the extent the covered entity has taken action in reliance on the authorization.
    • The covered entity generally may not condition its services on the provision of the authorization except (i) for research-related treatment, or (ii) if the purpose of the service is to create information for disclosure (e.g., an employment physical), in which case the covered entity may refuse to provide the services if the individual refuses to sign an authorization.
    • The PHI disclosed in accordance with the authorization may be subject to re-disclosure by the PHI recipient and no longer protected by the HIPAA Privacy Rule.

Limited Data Sets and Data Use Agreements

The HIPAA Privacy Rule permits a Covered Entity, without requiring that researchers obtain an individual's Authorization or that a Covered Entity review and approve of a researcher's application for a waiver or an alteration of an Authorization, to use and disclose Protected Health Information (PHI) in a Limited Data Set (LDS), provided certain requirements are satisfied. These include the requirement that the Covered Entity using or disclosing PHI in a LDS and the recipient researcher enter into and execute a Data Use Agreement (DUA) that establishes the terms and conditions for the use and disclosure of the LDS PHI. Learn more about Limited Data Sets and Data Use Agreements in the panels below.

The HIPAA Privacy Rule may apply to your FSU research when you- 

  1. Use, receive, and/or disclose PHI from any covered entity (whether a FSU covered or health care component, a non-FSU covered entity, or their business associates)
  2. You maintain PHI within a covered entity
  3. You are a covered entity

If you will be using PHI in your research, you must comply with the HIPAA Privacy Rule procedures of the covered entity from which the PHI will be obtained. If you are not sure whether individually identifiable health information is PHI or the non-FSU source of the information is a covered entity, request clarification and documentation from the Privacy Officer or legal counsel of the source of the information.

Covered and health care components at FSU

Generally, the following may be covered or health care components at FSU:

  • Health clinics and their staff who transmit PHI electronically for one or more covered transactions (e.g., health care claims, billing and payment; treatment authorizations and referrals). 
  • Other providers and independent health services and other practitioners who transmit PHI electronically for one or more covered transactions (e.g., health care claims, billing and payment; treatment authorizations and referrals). Other providers and practitioners may include social service agencies, psychologists, psychotherapists, counselors and licensed clinical social workers, to name a few.

If you are not sure whether the source of the individually identifiable health information is a covered or health care component at FSU, request clarification and documentation from the FSU Privacy Officer or legal counsel of the FSU source (College, School, department or clinic) of the information.

FSU PHI

FSU Protected Health Information (PHI) is any "individually identifiable health information" that is created or maintained by a FSU covered or health care component.

  • FSU PHI is health information plus identifiers. It is health information that includes or is able to be linked to the identity of the subject.
  • The sources of PHI may be living participants, deceased persons, human tissue samples, databases, or repositories.
  • All forms of FSU PHI are protected (i.e., electronic transmissions and media, paper, verbal, tissue samples, photographs, audio/visual recordings).

Regardless of the relationship of the FSU researcher to FSU (i.e., faculty, adjunct, staff, student, resident) and to a covered entity (i.e., full-time or part-time employee, consultant, outside research investigator, or student in a field placement), the FSU researcher must follow the procedures of the covered entity from which PHI will be obtained.

Examples of PHI

  • Within an FSU Covered Entity: The FSU researcher wants to obtain individually identifiable health information from an FSU Covered Entity for the purpose of conducting research. Because the information originates within a Covered Entity, such information is PHI. Because this is a FSU Covered Entity, the researcher must follow FSU procedures to obtain an authorization or a waiver of authorization before using the PHI.
  • Within a non-FSU Covered Entity: The FSU researcher wants to obtain individually identifiable health information from a non-FSU Covered Entity for the purpose of conducting research. Because the information originates within a Covered Entity, such information is PHI. Because this is not an FSU Covered Entity, the researcher must follow that Covered Entity's procedures and ensure that the proper Authorizations or Waivers are in place before using the PHI. Note that this has been the most commonly followed procedure involving FSU researchers.

Examples that are not PHI

  • Non-treatment data obtained directly from subjects within a Covered Entity: The FSU researcher is not a Covered Entity and is not providing treatment to the subjects. The researcher wants to obtain individually identifiable health information directly from research subjects located within a Covered Entity using methods that are not part of the subject's treatment (e.g., through interviews, surveys, or scales) and the information obtained will not become part of the medical/treatment records. For example, a study recruits patients from the waiting room of a hospital and the researcher interviews them about specific health practices. The researcher is not part of the covered entity and the researcher has no plans to maintain this data within the covered entity. Although this study collects health related information, and it occurs within a Covered Entity, it is not PHI because it is not going to be maintained within the covered entity and it does not result from treatment or come from medical charts maintained by the Covered Entity but is provided directly to the interviewer by the research participant. Because it is not PHI, the researcher may use or disclose it without regard to the Privacy Rule (note that if this is IRB approved research, the researcher will still have to maintain confidentiality, etc., as required in the consent document).
  • Data obtained from a non-FSU Covered Entity: The FSU researcher wants to obtain individually identifiable health information from a source at an HMO. The researcher is not a Covered Entity and is not an employee of the Covered Entity (HMO) where the data will be obtained. Because the source of the data is a Covered Entity, the information starts out as PHI. The researcher must follow the HIPAA procedures of that Covered Entity (the HMO) and ensure that the proper Authorizations or Waivers are in place before using the PHI. However, once the researcher has received the PHI from the Covered Entity, it is no longer PHI and the researcher may use or disclose it without regard to the Privacy Rule. This is the most common situation where FSU researchers interface with HIPAA to date.
  • Data obtained from a source that is not a Covered Entity: The researcher is not a Covered Entity and obtains individually identifiable health information directly from the research subject (e.g., through interviews, surveys, or scales). For example, a study recruits chronically ill individuals from a support group and the researcher interviews them about their pain tolerance. Although this study collects health related information, it is not PHI because it does not come from a Covered Entity. Because it is not PHI, the researcher may use or disclose it without regard to the Privacy Rule. However, if the researcher will use or maintain this individually identifiable health information within a Covered Entity, then it is PHI and the researcher must follow the Covered Entity's procedures and ensure that the proper Authorizations or Waivers are in place before using the PHI.

If the HIPAA Privacy Rule applies to your FSU research and the planned use and/or disclosure of PHI, then you must:

(1) obtain from each individual about whom the PHI pertains (or their personal representative), their HIPAA Authorization to use/disclose their PHI; and/or,

(2) request and be granted a Waiver or Alteration of HIPAA Authorization in accordance with the procedures required by the covered entity from which or whom the PHI will be obtained; and/or,

(3) request and be approved for the use or disclosure of PHI in a Limited Data Set through an executed Data Use Agreement; and/or,

(4) certify that use or disclosure of PHI is only to prepare a research protocol or to conduct research on decedents.

Strict conditions and limitations apply for each of the above (1)-(4). Related documents and materials must be included in your RAMP IRB submissions for FSU IRB review and approval. Any submissions in which these documents or materials are incomplete, missing or incorrect will be returned to you for correction. Please plan carefully and accordingly.

Refer to the HIPAA Authorization and Waiver of HIPAA Authorization panels below to learn more. Refer to our HIPAA Forms link at the bottom of this page to access key HIPAA and Research-related templates.

 

A HIPAA Authorization is a document by which an individual about whom PHI pertains provides the Covered Entity with permission to use or disclose the individual’s PHI, including for a research purpose. A HIPAA Authorization is required for use or disclosure for research purposes of any Covered Entity’s PHI that is not a Limited Data Set (LDS) (i.e., the PHI consists of identifiers other than those permitted for a LDS) or for which use or disclosure a Waiver of HIPAA Authorization has not been approved. Refer to the Limited Data Set definition and the following explanation of a Waiver of HIPAA Authorization for additional information.

A HIPAA Authorization must contain specific required elements in order to be considered valid under the HIPAA Privacy Rule. See the OHSP HIPAA forms page [link] to obtain the FSU DUA template for a Research Authorization For Use and Disclosure of PHI. Note that non-FSU Covered Entities may have and require use of their own HIPAA Authorization forms.

A Waiver or alteration of HIPAA Authorization may be requested for the use and disclosure of PHI for research purposes, which waiver or alteration an application or request is reviewed and approved by a Covered Entity’ Privacy Board or IRB, and for which the Covered Entity’s PHI is neither a Limited Data Set accompanied by a Data Use Agreement (see definitions), nor expressly permitted under a valid HIPAA Authorization. A Covered Entity Privacy Board or IRB’s approval of an application or request for a waiver or alteration of HIPAA Authorization is an exception to the general requirement for a HIPAA Authorization, and may not be approved by a Covered Entity’s Privacy Board or IRB unless very specific criteria and other requirements are satisfied.

See the OHSP HIPAA forms page [link] to obtain the FSU template for an Application for Waiver or Alteration of Authorization for Use and Disclosure of PHI, and refer to the IRB's HRP-441 - CHECKLIST HIPAA Waiver of Authorization to see what specific criteria and requirements must be satisfied before the IRB will approve of the waiver or alteration request. Note that non-FSU Covered Entities may have and require use of their own waiver forms for use and disclosure of their PHI.

Also note that while the FSU IRB may upon a researcher’s application approve of a waiver or alteration of HIPAA Authorization for use or disclosure for research purposes of FSU PHI, the FSU IRB does not approve of applications or requests for waivers or alterations of HIPAA Authorization for the use or disclosure of non-FSU PHI; this is because the non-FSU Covered Entity, not FSU, is legally responsible under the HIPAA Privacy Rule for use and disclosure of its own PHI. However, the FSU IRB will still require documentation of a non-FSU Covered Entity Privacy Board or IRB’s approval of a waiver or alteration of HIPAA Authorization for use or disclosure for research purposes of the non-FSU Covered Entity’s PHI. See the OHSP HIPAA forms page [link] to obtain the FSU template for an Application for Waiver or Alteration of Authorization for Use and Disclosure of PHI.

Select authoritative information and links, with annotations, are provided below. Additional resources will be added when available and reviewed. Contact humansubjects@fsu.edu with requests for additional information.
  1. Health Insurance Portability and Accountability Act of 1996 (HIPAA); Administrative Data Standards and Related Requirements, Title 45 of the U.S. Code of Federal Regulations (CFR), Parts 160, 164 (45 CFR 160, 164) (aka “HIPAA Privacy Rule”) [link].
    • Use the Browse tab and scroll to Title 45, click, and on the ECFR Content page click on Subchapter C; Parts 160-164 are available for viewing.
    • The Electronic CFR provides access to web version of CFR; the eCFR is updated daily as regulations are promulgated and published in the U.S. Federal Register; easier to navigate than the official CFR in its pdf format.
  2. Office for Civil Rights (OCR), U.S. Department of Health and Human Services; Health Information Privacy page [link]
    • The OCR is the federal entity authorized by law to enforce the HIPAA Privacy Rule.
    • Go to the HIPAA for Professionals page [link]; under Special Topics, click on Research to find out more about OCR’s thinking on the topic, and to access useful fact sheets and other resources pertaining to HIPAA and research.
  3. HIPAA for Professionals; Special Topics; Research [link]
    • U.S. Department of Health and Human Services (DHHS) web site with an overview and explanations of HIPAA Privacy Rule provisions of interest to the research community.
  4. National Academies: Beyond the HIPAA Privacy Rule: Enhancing Privacy, Improving Health Through Research (PDF available here or from the National Academies Press at: http://www.nap.edu/catalog/12458.html)
    • This Institute of Medicine Committee on Health Research and the Privacy of Health Information’s monograph is a detailed, in-depth review of the impact of the HIPAA Privacy Rule on research and proposed recommendations for balancing privacy of identifiable health information and facilitating health research.
  5. National Institutes of Health
    1. Research Repositories, Databases and the HIPAA Privacy Rule (NIH Publication No. 04-5489 (2004)) [link]
      • A U.S. National Institutes of Health (NIH) factsheet that gives an overview of the HIPAA Privacy Rule with special application to creation and use of research repositories that may contain Protected Health Information; includes links to other related factsheets as well as some FAQs.
    2. Protecting Personal Health Information in Research: Understanding the HIPAA Privacy Rule (NIH Publication No. 03-5388) [link]
      • This NIH booklet, directed towards the research community, includes information about how researchers are directly and indirectly impacted by HIPAA Privacy Rule requirements; includes comparison with other relevant federal regulations, and explanations of individual’s rights.
  6. Healthcare Information and Management Systems Society (HIMSS) [link]
    • HIMSS is a large membership and credentialing organization providing expertise and resources to advance global health through information and technology; at this site can be found a wide range of resources regarding cybersecurity, informatics and privacy. Some content is freely available and other may be purchased.
  7. HIPAA Privacy Rule & Research algorithm [link] Click on the link to this OHSP document to find out IF and HOW the HIPAA Privacy Rule requirements may apply to your FSU research if you use health information. Decision points and pathways, including detailed notes, are provided to guide you to answers, explanations, links and the applicable requirements as well as your next steps.

Authorization: An individual's written permission (signed by the individual or his/her Personal Representative) to allow a covered entity to use/disclose specified PHI for a particular research study. Except as otherwise permitted by the HIPAA Privacy Rule, a covered entity may not use or disclose PHI for research purposes without a valid Authorization.

Accounting for Disclosures of PHI: Information that describes a covered entity's disclosure of PHI that has taken place within six (6) years of the date of the request (excluding any disclosures taking place prior to the Compliance Date). Accounting of disclosures is not required in the following situations:

  • disclosures for treatment, payment, and health care operations ("TPO")
  • disclosures made pursuant to valid Authorizations
  • disclosure of Limited Data Sets
  • disclosure of de-identified data
  • disclosures of PHI prior to April 14, 2003

Covered Entity:

  1. A health plan,
  2. A health care clearinghouse, and
  3. A health care provider who transmits any health information in electronic form (once deemed a covered entity, any PHI regardless of format, e.g., print or electronic, is subject to the HIPAA Privacy Rule)

Data Use Agreement (DUA): An agreement pertaining to a Limited Data Set (LDS) that specifies permitted uses and disclosures, specifies who may use or receive the data set, restricts further use and disclosure, and restricts re-identification of the individual or contact with the individuals. (This agreement may take the form of a formal contract or of a confidentiality agreement).

De-Identified Data: Data that does not identify an individual and with respect to which there is no reasonable basis to believe that information within the data can be used to identify an individual.

The Privacy Rule provides two routes by which data may be de-identified. The first route is to remove a list of all eighteen (18) direct identifiers (see below) that could be used to identify the individual; a relative of the individual; employer; or household members of the individual. These identifiers are enumerated in the HIPAA Privacy Rule. The second route is to obtain the services of an expert who can determine and document, using generally accepted statistical and scientific principles and methods, that there is only a 'very small' risk that the information in a data set could be used to identify the subject of the information.

Direct Identifiers:

  1. Names
  2. All geographical subdivisions smaller than a state, including street address, city, county, precinct, Zip Code, and their equivalent geographical codes, except for the initial three digits of a Zip Code if, according to the current publicly available data from the Bureau of the Census:
    1. The geographic unit formed by combining all ZIP Codes with the same three initial digits contains more than 20,000 people.
    2. The initial three digits of a ZIP Code for all such geographic units containing 20, 000 or fewer people are changed to 000.
  3. All elements of dates (except year) for dates directly related to an individual, including birth date, admission date, discharge date, date of death; and all ages over 89 and all elements of dates (including year) indicative of such age, except that such ages and elements may be aggregated into a single category of age 90 or older.
  4. Telephone numbers
  5. Facsimile numbers
  6. Electronic mail addresses
  7. Social security numbers
  8. Medical record numbers
  9. Health Plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web universal resource locators (URLs)
  15. Internet protocol (IP) address numbers
  16. Biometric identifiers, including fingerprints and voiceprints
  17. Full-face photographic images and any comparable images
  18. Any other unique identifying number, characteristic, or code

Disclosure: The release, transfer, access to, or divulging of PHI in any manner outside the covered entity holding the PHI.

Individually Identifiable Health Information: Information that includes demographic information collected from an individual, and

  1. is created or received by a health care provider, health plan, employer, or health care clearinghouse; and
  2. relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual; and (a) that identifies the individual; or (b) with respect to which there is a reasonable basis to believe the information can be used to identify the individual.

Limited Data Set (LDS): A data set that excludes the majority of the eighteen (18) direct identifiers of the individual, relative, employers and/or household members of the individual. In a limited data set, certain geographic information smaller than a state (e.g., city, state, full ZIP code), and dates directly related to an individual (e.g., birth date, admission date, discharge date, service dates) may be retained.

Limited data sets can be used or disclosed, for purposes of research, public health, or health care operations, without obtaining either an individual's Authorization or IRB waiver or an alteration of Authorization for its use and disclosure, so long as a Data Use Agreement (DUA) is in place. IRB review and approval of the study is still however required.

Minimal Risk to the Privacy of the Individual: The amount of risk, harm or discomfort, that an individual will ordinarily encounter in day-to-day activities.

Personal Representative: A person who is legally authorized to act on behalf of an individual in making health care related decisions, including signing an Authorization.

Privacy Board: A Board that is established to review and approve requests for waivers or alterations of Authorizations in connection with a use or disclosure of PHI.

A Privacy Board consists of members with varying backgrounds and appropriate professional competencies as necessary to review the effect of the research protocol on an individual's privacy rights and related interests. The Board must include at least one member who is not affiliated with either the covered component (covered entity) or with the entity that is conducting or sponsoring the research, and not related to any person who is affiliated with any such entities. Also, it must not have any member participating in a review of any project in which the member has a conflict of interest. The FSU IRB does not serve as a Privacy Board with regard to any waiver of Authorization for non-FSU PHI for research purposes.

Protected Health Information (PHI): Individually identifiable health information transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. Education records covered by FERPA, and employment records held by a 'covered entity' in its role as an employer, are excluded from this definition.

Research: A systematic investigation, including research development, testing and evaluation, designed to develop or contribute to generalizable knowledge. This includes the development of research repositories and databases for research.

Reviews Preparatory to Research: Using/reviewing PHI for the purposes of developing a research protocol or a similar activity in preparation of formulating a research hypothesis. This may include review of PHI to ascertain eligibility of individuals as prospective human research participants (human subjects).

Use: The sharing, application, utilization, examination, analysis, or employment of Individually Identifiable Health Information within an entity that maintains such information.

Waiver, Partial Waiver or Alteration of Authorization: The document by which an IRB or Privacy Board has documented approval of a request to waive or alter the requirements of the HIPAA Privacy Rule for a valid Authorization for the use and/or disclosure of PHI.

HIPAA Forms

Click the above or this HIPAA Forms link to access select HIPAA and Research-related templates, including our Research Authorization, Application for Waiver/Alteration and Data Use Agreement forms. Annotations and brief instructions about the use of these templates are provided.